Date: 2015-08-19

On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services.

HTTP/2, like earlier versions, governs the application layer of the internet stack; it runs atop the transport layer (TCP), the network layer (IP), and the data link layer of the internet. The eight CVEs disclosed do not allow information disclosure or modification, but they could be employed to overload servers.

"Today, a number of vendors have announced patches to correct this suboptimal behavior," the media streaming biz said in its post. "While we haven’t detected these vulnerabilities in our open source packages, we are issuing this security advisory to document our findings and to further assist the Internet security community in remediating these issues."

Seven of the flaws were identified by Jonathan Looney of Netflix, and the eighth (CVE-2019-9518) was found by Piotr Sikora of Google.

Netflix, which characterized the severity of the flaws as "high," did not name the vendors affected by vulnerable HTTP/2 implementations but CERT/CC has.